
[Enhancement] OpenID Connect/SSO support

Open dan-r opened this issue 2 years ago • 5 comments

Is there any plan or want for implementing SSO or another method of automatic external authentication like header auth?

I'm happy to write the feature and raise a PR for this, but am a little unsure on how to handle the 'administrator' access level, as from the current implementation there is only one, whereas with a third party IDP you could potentially have a group of administrators.

dan-r avatar May 15 '23 08:05 dan-r

Hi,

There was a request for LDAP integration but it ended up being rejected because the author was not complying with our phpstan requests and testing. :(

We do support Header Auth token (if generated by Lychee), but this requires pre-registration.

I would also suggest you also have a look at: https://laravel.com/docs/10.x/socialite and https://github.com/LycheeOrg/Lychee/issues/792

You will still need to create a user in the Lychee DB (either on successful login to the SSO system) in order to track the rights; that will be the way to define whether admin access is provided or not.

ildyria avatar May 15 '23 09:05 ildyria

@dan-r FYI #2190 will provide Oauth support to major providers (Amazon, Facebook, Google, GitHub, NextCloud, Mastodon, Microsoft).

ildyria avatar Jan 14 '24 20:01 ildyria

@ildyria great news, thanks for letting me know. Sorry I didn't get the chance to take a look at implementing it! I'll give the PR a test.

dan-r avatar Jan 14 '24 20:01 dan-r

To clarify this still requires the user to have an account and then we link it. But now that the ground work is laid down, it should be easy to add a setting to allow creation of accounts on Oauth authentication.

ildyria avatar Jan 14 '24 20:01 ildyria

@dan-r Check out #2475 (though untested)

ildyria avatar Jun 21 '24 16:06 ildyria

This is a valuable addition for having SSO. It no longer requires you to add a new user beforehand. I have tested this with my Keycloak environment. It works just fine. Now only if I would have user group support where I just have to add the new user to a group to give access to multiple albums, that would be awesome!

I do understand the warning about "shooting yourself in the foot" when using other, public OIDC authentication mechanisms. Anyone can log in and create an account.

jsaathof avatar Jul 05 '24 10:07 jsaathof

I have Google OAuth2 setup and can authenticate to Lychee successfully.

My understanding is that we need to create a Lychee account first, then a user can click on the G icon and authenticate via OAuth.

I have the following defaults:

```
oauth_create_user_on_first_attempt 0
oauth_grant_new_user_upload_rights 0
oauth_grant_new_user_modification_rights 0
```

I can authenticate with Google even if I don't have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

What could I be missing?

Thanks.

hhanzo1 avatar Jul 21 '24 01:07 hhanzo1

wohowowowo

> My understanding is that we need to create a Lychee account first, then a user can click on the G icon and authenticate via OAuth.

Yes.

> I can authenticate with Google even if I don't have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

That would be BAD.

Let me check.

ildyria avatar Jul 21 '24 15:07 ildyria

> I can authenticate with Google even if I don't have a Lychee account created. Also it looks like the admin account since I can view Settings etc.

Can you check in the admin user profile panel what is in the "Set up Oauth authentication" part. I am not able to reproduce your bug with my GitHub Oauth.

ildyria avatar Jul 21 '24 15:07 ildyria

> Can you check in the admin user profile panel what is in the "Set up Oauth authentication" part.

It shows 'Set up Google', I click on it then it says 'Google token registered (reset)'

> I am not able to reproduce your bug with my GitHub Oauth.

~~I'll test again today and will test with Github Oauth then report back.~~

I tested with Github Oauth and get the same behaviour. I can authenticate with my Github account without an established Lychee account as admin. I've tried incognito mode and on mobile phone with the same result.

There must be something wrong in my config attached maybe?

lychee-diag.txt

In my .env not sure if this is related?

```
SECURITY_HEADER_HSTS_ENABLE=false
SECURITY_HEADER_CSP_CONNECT_SRC=
SECURITY_HEADER_SCRIPT_SRC_ALLOW=
SESSION_SECURE_COOKIE=false
```

and the Oauth config looks like this

```
GITHUB_CLIENT_ID=********************
GITHUB_CLIENT_SECRET=*******************************
GITHUB_REDIRECT_URI=/auth/github/redirect

GOOGLE_CLIENT_ID=*********************************************.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-****************************
GOOGLE_REDIRECT_URI=/auth/google/redirect
```

hhanzo1 avatar Jul 21 '24 22:07 hhanzo1

> It shows 'Set up Google', I click on it then it says 'Google token registered (reset)'

It literally says here that the google token is linked. Just click reset and it will be fine.

ildyria avatar Jul 22 '24 15:07 ildyria

When you click on set up the connection, you are linking the account to your google account! Like this is the INTENDED behavior.

ildyria avatar Jul 22 '24 15:07 ildyria

> When you click on set up the connection, you are linking the account to your google account! Like this is the INTENDED behavior.

OK. This is the point that I was missing.

Updated flow:

  1. Add a new local account and password
  2. Authenticate with new local account <-- critical step
  3. Choose U2F then select Set up Google
  4. Logout
  5. Authenticate with Google by clicking on the G

I can confirm it's working great.

Thank you!

hhanzo1 avatar Jul 22 '24 23:07 hhanzo1